Repository: mina Updated Branches: refs/heads/2.0 3d5ac4143 -> f7b334472
o Closed the session if we get an SSL exception during the Handshake, to avoid having a valid session being usable but with data being exchanged in plain text... o Added the test case provided by Thomas Papke (DIRMINA-1044) Project: http://git-wip-us.apache.org/repos/asf/mina/repo Commit: http://git-wip-us.apache.org/repos/asf/mina/commit/f7b33447 Tree: http://git-wip-us.apache.org/repos/asf/mina/tree/f7b33447 Diff: http://git-wip-us.apache.org/repos/asf/mina/diff/f7b33447 Branch: refs/heads/2.0 Commit: f7b334472c6a2a545bf007014a29a8e69e6d224f Parents: 3d5ac41 Author: Emmanuel Lécharny <elecha...@symas.com> Authored: Mon Sep 19 12:24:00 2016 +0200 Committer: Emmanuel Lécharny <elecha...@symas.com> Committed: Mon Sep 19 12:24:00 2016 +0200
----------------------------------------------------------------------
 .../org/apache/mina/filter/ssl/SslFilter.java | 3 + .../org/apache/mina/filter/ssl/SslTest.java | 107 ++++++++++++++++--- 2 files changed, 96 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mina/blob/f7b33447/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java
----------------------------------------------------------------------
diff --git a/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java b/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java
index e91ab6b..7acb123 100644
--- a/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java
+++ b/mina-core/src/main/java/org/apache/mina/filter/ssl/SslFilter.java
@@ -519,6 +519,9 @@ public class SslFilter extends IoFilterAdapter {
 SSLException newSsle = new SSLHandshakeException("SSL handshake failed.");
 newSsle.initCause(ssle);
 ssle = newSsle;
+
+ // Close the session immediately, the handshake has failed
+ session.closeNow();
 } else {
 // Free the SSL Handler buffers
 sslHandler.release();
http://git-wip-us.apache.org/repos/asf/mina/blob/f7b33447/mina-core/src/test/java/org/apache/mina/filter/ssl/SslTest.java
----------------------------------------------------------------------
diff --git a/mina-core/src/test/java/org/apache/mina/filter/ssl/SslTest.java b/mina-core/src/test/java/org/apache/mina/filter/ssl/SslTest.java
index 840ea4e..23d7fd8 100644
--- a/mina-core/src/test/java/org/apache/mina/filter/ssl/SslTest.java
+++ b/mina-core/src/test/java/org/apache/mina/filter/ssl/SslTest.java
@@ -24,6 +24,7 @@ import java.io.InputStreamReader;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.Socket;
+import java.net.SocketTimeoutException;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
 import java.security.Security;
@@ -57,6 +58,8 @@ public class SslTest {
 private static InetAddress address;
 private static SSLSocketFactory factory;
+
+ private static NioSocketAcceptor acceptor;
 /** A JVM independant KEY_MANAGER_FACTORY algorithm */
 private static final String KEY_MANAGER_FACTORY_ALGORITHM;
@@ -96,7 +99,7 @@ public class SslTest {
 * protocol codec filter
 */
 private static void startServer() throws Exception {
- NioSocketAcceptor acceptor = new NioSocketAcceptor();
+ acceptor = new NioSocketAcceptor();
 acceptor.setReuseAddress(true);
 DefaultIoFilterChainBuilder filters = acceptor.getFilterChain();
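Review bot: `session.closeNow()` is the right call for the handshake-failure branch, but the comment should record why the non-flushing close was chosen over `closeOnFlush()`: `closeNow()` most likely discards whatever the engine queued for the peer (including the fatal TLS alert for the failed handshake), whereas `closeOnFlush()` would keep the session readable until the flush completes and further plaintext bytes could still reach the chain, which is exactly the DIRMINA-1044 symptom. Suggested wording: `// closeNow(), not closeOnFlush(): once the handshake has failed no further bytes may reach the chain as plain text, even at the cost of not delivering the pending alert`. Unlike the `else` branch, this path does not call `sslHandler.release()`; presumably the filter's session-closed handling frees the handler's buffers once the close completes, but that code is outside the hunk and worth confirming. The enclosing catch block and method continue outside the hunk, so whether `ssle` is still rethrown after the close is not visible here.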
@@ -104,6 +107,7 @@ public class SslTest {
 // Inject the SSL filter
 SslFilter sslFilter = new SslFilter(createSSLContext());
 filters.addLast("sslFilter", sslFilter);
+ sslFilter.setNeedClientAuth(true);
 // Inject the TestLine codec filter
 filters.addLast("text", new ProtocolCodecFilter(new TextLineCodecFactory()));
@@ -111,6 +115,10 @@ public class SslTest {
 acceptor.setHandler(new TestHandler());
 acceptor.bind(new InetSocketAddress(port));
 }
+
+ private static void stopServer() {
+ acceptor.dispose();
+ }
 /**
 * Starts a client which will connect twice using SSL
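Review bot: `sslFilter.setNeedClientAuth(true)` changes the shared server fixture, so the pre-existing `testSSL` now exercises mutual TLS and depends on the client built in `startClient()` presenting a certificate the server trusts; that client code is outside the hunk, so it is worth confirming this is intentional rather than a leftover from reproducing DIRMINA-1044, which does not need client authentication to show a plaintext client reaching the handler. If it is intentional, a one-line comment would make that explicit: `// Require a client certificate so testSSL also covers mutual authentication`.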
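Review bot: `stopServer()` calls `acceptor.dispose()`, which as far as I recall does not wait for the acceptor's I/O threads to finish (the blocking form is `dispose(true)`); since every test rebinds the same static `port` immediately after the previous test's `finally`, an un-awaited dispose can leave the port held and make the next `bind()` fail even with `setReuseAddress(true)`. `acceptor.dispose(true);` removes that race. A null guard, `if (acceptor != null)`, would also keep the `finally` from masking a failure inside `startServer()` with a NullPointerException when the acceptor was never created.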
@@ -169,20 +177,91 @@ public class SslTest { @Test public void testSSL() throws Exception { - startServer(); - - Thread t = new Thread() { - public void run() { - try { - startClient(); - } catch (Exception e) { - clientError = e; + try { + startServer(); + + Thread t = new Thread() { + public void run() { + try { + startClient(); + } catch (Exception e) { + clientError = e; + } } + }; + t.start(); + t.join(); + + if (clientError != null) { + throw clientError; } - }; - t.start(); - t.join(); - if (clientError != null) - throw clientError; + } finally { + stopServer(); + } + } + + + @Test + public void unsecureClientTryToConnectoToSecureServer() throws Exception { + try { + startServer(); // Start Server with SSLFilter + + //Now start a client without any SSL + Thread t = new Thread() { + @Override + public void run() { + try { + address = InetAddress.getByName("localhost"); + + Socket socket = new Socket(address, port); + socket.setSoTimeout(10000); + + String response = null; + + while (response == null) { + try { + System.out.println(socket.isConnected()); + // System.out.println("Client sending: hello"); + socket.getOutputStream().write("hello \n".getBytes()); + socket.getOutputStream().flush(); + socket.setSoTimeout(1000); + + // System.out.println("Client sending: send"); + socket.getOutputStream().write("send\n".getBytes()); + socket.getOutputStream().flush(); + + BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream())); + String line = ""; + + while ((line = in.readLine()) != null) { + response = response + line; + } + } catch (SocketTimeoutException timeout) { + // donothing + timeout.printStackTrace(); + } + } + + if (response.contains("AAAAAAA")){ + throw new IllegalStateException("getting response:" + response); + } + + // System.out.println("Client got: " + line); + socket.close(); + } catch (Exception e) { + clientError = e; + } + } + }; + + t.start(); + t.join(); + + if (clientError != null) { + throw clientError; + } + 
} finally { + stopServer(); + } } }
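Review bot: The client loop in `unsecureClientTryToConnectoToSecureServer` has no exit for the outcome the fix now produces: when the server closes the connection without answering, `in.readLine()` returns null (or throws `java.net.SocketException` if the close arrives as a reset), `response` stays null, and `while (response == null)` re-sends on a dead socket, so the test either spins or fails through `clientError` with an I/O error instead of passing cleanly. EOF or a reset on the plaintext socket is the expected result here and should end the read; only an actual `AAAAAAA` response is a failure. The `Socket` is also never closed on the exception path, and the `System.out.println`/`printStackTrace` calls are noise in a unit test. A sketch of the client body follows; the surrounding thread, `clientError` propagation and `finally { stopServer(); }` are unchanged.
```java
// … unchanged: address lookup …
try (Socket socket = new Socket(address, port)) {
    socket.setSoTimeout(10000);
    socket.getOutputStream().write("hello \n".getBytes());
    socket.getOutputStream().write("send\n".getBytes());
    socket.getOutputStream().flush();

    BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
    StringBuilder response = new StringBuilder();
    String line;

    try {
        // EOF is the expected outcome: the server must drop a client that
        // never completed the TLS handshake instead of talking plain text.
        while ((line = in.readLine()) != null) {
            response.append(line);
        }
    } catch (SocketException reset) {
        // Also acceptable: the server reset the connection on the bad bytes.
    }

    if (response.indexOf("AAAAAAA") >= 0) {
        throw new IllegalStateException("getting response:" + response);
    }
}
// … unchanged: clientError propagation …
```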